WHATWG
2023-03-18
plaintext logs
prev next
source on github
07:36
<annevk>
asuth: zcorpan: if Gecko has any feedback on https://github.com/whatwg/fs/pull/96 Monday would be a good time to chime in, Austin and I are pretty close to calling it done
12:28
<jub0bs>

The Fetch standard states the following

Credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication).

and it also defines authentication entries as follows:

An authentication entry and a proxy-authentication entry are tuples of username, password, and realm, used for HTTP authentication and HTTP proxy authentication, and associated with one or more requests.

However, unless I'm missing something, not all authentication entries count as credentials in the sense used by CORS. For instance, Basic Zm9vOmJhcgo= does count as credential and, if present, will be automatically attached by the browser to credentialed requests issued by the client; but Bearer whatever doesn't count as credential in that sense.

Is the Fetch standard accurate in that respect? What am I missing? And if only some authentication entries count as credentials, is there some authoritative list of them?

15:07
<annevk>
jub0bs: I'd support a PR renaming "credentials" to "user-agent-bound credentials"
15:08
<annevk>
There are indeed many other forms of credentials, but they're not mediated by the user agent in some fashion
16:15
<jub0bs>
Thanks annevk. I do like the more precise term you suggest. But then my question becomes the following: Is there a standard definition of user-agent-bound credentials?
16:38
<asuth>
asuth: zcorpan: if Gecko has any feedback on https://github.com/whatwg/fs/pull/96 Monday would be a good time to chime in, Austin and I are pretty close to calling it done
Thanks, I'll pass it along.